Concrete signature match: Trojan (appears legitimate but performs malicious actions), macOS platform, family Amos
This is a macOS Trojan of the Amos family (the Atomic macOS Stealer), matched by the concrete Mach-O string signature below; the "!MTB" suffix marks a Microsoft behaviour-based detection, and the rule itself is a weighted string signature (threshold 11, string accuracy rated Low). The strings target the on-disk storage of the Wasabi, Exodus, Atomic, and Guarda cryptocurrency wallets, so a hit indicates wallet-data theft and a critical financial threat.
Signature strings: four wallet storage path fragments (two weighted 5, two weighted 1) and one ARM64 code byte pattern with wildcard bytes (weight 1); see the rule below.
rule Trojan_MacOS_Amos_AO_2147919063_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MacOS/Amos.AO!MTB"
        threat_id = "2147919063"
        type = "Trojan"
        platform = "MacOS: "
        family = "Amos"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_MACHOHSTR_EXT"
        threshold = "11"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = "walletwasabi/client/Wallets/" ascii //weight: 5
        $x_5_2 = "Exodus/exodus.wallet/" ascii //weight: 5
        $x_1_3 = "atomic/Local Stveldb/" ascii //weight: 1
        $x_1_4 = "Guarda/Local Storage/leveldb/" ascii //weight: 1
        $x_1_5 = {ff 43 01 d1 fd 7b 04 a9 fd 03 01 91 a0 83 1f f8 a8 83 5f f8 e8 07 00 f9 e0 83 00 91 e0 03 00 f9 61 00 00 f0 21 f8 06 91 6a ?? ?? ?? e1 03 40 f9 e2 07 40 f9 e0 03 02 aa} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (
            ((2 of ($x_5_*) and 1 of ($x_1_*))) or
            (all of ($x*))
        )
}

SHA-256: dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d

Immediately isolate the compromised macOS device from the network to stop further exfiltration. Run a full scan with up-to-date anti-malware software to remove the threat. Treat every wallet whose files were present on the host as compromised: the stealer copies the wallet files and seed material themselves, so changing a wallet password does not protect a seed that has already been taken. Create new wallets (new seed phrases) on a clean device or in cold storage and move the funds there, then rotate the passwords of any accounts used on the machine. Monitor financial accounts for unauthorized transactions and reinforce security awareness regarding phishing and suspicious downloads, which is how this family is delivered.
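The condition block above reads as two alternatives, but the meta field threshold = "11" shows what Defender actually computes: the weights in the string names ($x_5_* = 5, $x_1_* = 1) are summed and compared to 11, which is only reachable with both 5-point paths plus at least one 1-point string. The following is an added worked example, written for this page rather than taken from it or from Microsoft's signature tooling, that re-implements the rule in plain Python over a constructed buffer: the hex string's ?? wildcards become single-byte regex wildcards, and both the literal condition and the weighted threshold are checked against every subset of the five strings to show they agree. The fake Mach-O header, the 0x41 filler in the wildcard slots and the path prefixes in the sample are constructed assumptions, not bytes from the real sample.

```python
import re
from itertools import combinations

# Values transcribed from the Trojan_MacOS_Amos_AO_2147919063_0 rule above.
SIZE_LIMIT = 20 * 1024 * 1024   # filesize < 20MB
THRESHOLD = 11                   # meta threshold = "11"

# name -> (weight, needle); the weight is the middle field of the YARA name.
TEXT_STRINGS = {
    "x_5_1": (5, b"walletwasabi/client/Wallets/"),
    "x_5_2": (5, b"Exodus/exodus.wallet/"),
    "x_1_3": (1, b"atomic/Local Stveldb/"),
    "x_1_4": (1, b"Guarda/Local Storage/leveldb/"),
}

# $x_1_5: ARM64 code bytes with three wildcard (??) bytes.
HEX_PATTERN = (
    "ff 43 01 d1 fd 7b 04 a9 fd 03 01 91 a0 83 1f f8 a8 83 5f f8 "
    "e8 07 00 f9 e0 83 00 91 e0 03 00 f9 61 00 00 f0 21 f8 06 91 "
    "6a ?? ?? ?? e1 03 40 f9 e2 07 40 f9 e0 03 02 aa"
)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string into a bytes regex: fixed bytes become \\xNN
    escapes and each ?? becomes a one-byte wildcard (DOTALL so 0x0a matches)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


HEX_REGEX = hex_pattern_to_regex(HEX_PATTERN)


def hits(data: bytes) -> dict:
    """Which of the five strings occur in data, mapped to their weights."""
    found = {n: w for n, (w, needle) in TEXT_STRINGS.items() if needle in data}
    if HEX_REGEX.search(data):
        found["x_1_5"] = 1
    return found


def yara_condition(data: bytes) -> bool:
    """Literal transcription of the rule's condition block."""
    if len(data) >= SIZE_LIMIT:
        return False
    h = hits(data)
    heavy = sum(1 for n in h if n.startswith("x_5_"))
    light = sum(1 for n in h if n.startswith("x_1_"))
    return (heavy >= 2 and light >= 1) or len(h) == 5


def weighted_condition(data: bytes) -> bool:
    """The same decision expressed as the weighted threshold from the meta."""
    return len(data) < SIZE_LIMIT and sum(hits(data).values()) >= THRESHOLD


def constructed_sample(code_stub: bool = True, low_weight: bool = True) -> bytes:
    """Constructed test buffer, not a real Amos binary: a fake Mach-O magic,
    the two high-weight wallet paths as a stealer would embed them, optionally
    one low-weight path and the ARM64 stub with 0x41 filling the ?? slots."""
    stub = bytes(0x41 if t == "??" else int(t, 16) for t in HEX_PATTERN.split())
    prefix = b"Library/Application Support/"          # assumed path prefix
    parts = [b"\xcf\xfa\xed\xfe" + b"\x00" * 60,      # fake 64-bit Mach-O magic
             prefix + TEXT_STRINGS["x_5_1"][1] + b"\x00",
             prefix + TEXT_STRINGS["x_5_2"][1] + b"\x00"]
    if low_weight:
        parts.append(prefix + TEXT_STRINGS["x_1_4"][1] + b"\x00")
    if code_stub:
        parts.append(stub)
    return b"".join(parts)


def conditions_agree_on_all_subsets() -> bool:
    """Enumerate every subset of the five strings and confirm the literal
    condition and the weighted threshold reach the same verdict."""
    needles = [TEXT_STRINGS[n][1] for n in ("x_5_1", "x_5_2", "x_1_3", "x_1_4")]
    needles.append(bytes(0 if t == "??" else int(t, 16) for t in HEX_PATTERN.split()))
    for k in range(len(needles) + 1):
        for combo in combinations(needles, k):
            data = b"\x00".join(combo)
            if yara_condition(data) != weighted_condition(data):
                return False
    return True


if __name__ == "__main__":
    sample = constructed_sample()
    print("hits:", hits(sample))
    print("condition:", yara_condition(sample), "weighted:", weighted_condition(sample))
    print("all 32 subsets agree:", conditions_agree_on_all_subsets())
```

Two practical consequences follow from the scoring: a binary that only embeds the Wasabi and Exodus paths scores 10 and does not trigger, and the ARM64 stub on its own is worth as little as the Guarda path, so a stealer compiled only for x86_64 is still caught if it carries both high-weight paths and either low-weight path.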